I’m following the odin project to learn web development. I had read about malicious packages in npm multiple times, so I avoided it until now. I’m on the webpack lesson now, and to use webpack, I need to install it using npm. I also see that it has many dependencies, and those dependencies will have other depenedencies and so on.
Why is it like this? Is there any other tool like webpack that doesn’t require npm? Or rather, can someone clarify how to properly use npm or link a guide that explains it? I have this kind of fear and reluctance about using npm after all the things I read.
Finding a Webpack replacement that doesn’t use NPM at all is going to be hard, but there are certainly alternatives that don’t require the 1000+ NPM dependencies required to use Webpack.
Some alternatives you can consider are Rsbuild and Farm. Part of the reason they use so much fewer NPM dependencies is because they’re written in Rust, so they’ll have Cargo dependencies instead, but you shouldn’t notice anything of that. Of course if you want to audit everything it’s not that much easier, but at least the Cargo ecosystem seems to have avoided quite some of the mistakes that NPM made. But yes, in the end it still comes down to the extent that you trust your dependencies.